Is your business secured against DNS hijacking?

By October 23, 2020Domains

DNS hijackers are still a major threat that cannot be ignored by any business which relies on its online presence. Although the primary targets for cyberattacks are financial institutions due to potential high gain, other companies should not be caught off guard, as it may cost them not only a loss of reputation, but also revenue.

What is DNS hijacking?

The Domain Name System (DNS) is, as suggested by its name, a system which enables communication between a computer and the Internet. In simple words, DNS converts a readable human-friendly address, e.g. www.example.com into a string of machine-adjusted numbers called IP address, which is then used by a computer to identify itself and communicate with other devices. It is during that identification that attacks utilizing a common “man-in-the-middle” strategy may happen: a user is redirected to another IP address with malicious content. As a result, all the traffic destined for the compromised websites is captured and diverted to the attackers, including credit cards, email and VPN details. The threat triggered a response from ICANN, which advised all registrants to apply DNSSEC.

2020 Global DNS Threat Report reveals some alarming statistics: 79% of organizations worldwide have experienced an attack on their domains with an average cost of such attack estimated at 924,000 USD. Despite the growing percentage of businesses which recognize the importance of protecting the DNS system (77% in 2020, compared to 64% in the previous year), still 75% of DNS-based assaults were not mitigated by auto-responsive security measures. The most common result was application downtime, however, other impacts included compromised websites, reputation damage or even disclosure of sensitive information and ultimately loss of business.

Another report of DNS hijacking disturbed domain owners in August 2019 when a series of attacks on the core internet structure orchestrated by a group nicknamed Sea Turtle was revealed. At least 40 entities in 13 different countries were affected, mainly in North Africa and the Middle East, which included national security organizations, foreign affairs ministries, energy providers, DNS registrars, internet service providers and telecommunication businesses. The surprising intricacy of these threats laid in the fact, that the attackers first targeted domains of companies which provided services for the main victims and this way they were able to hijack the destined domains. What’s more, the threat actors did not stop or mitigate their actions once they were revealed to the public in reports describing their endeavors. Such a daring and massive invasion on the DNS poses questions of how to maintain global data privacy and whether the system is still stable enough to be trustworthy.

Various ways to protect against domain hijacking

Developed in the early 80’s, the Domain Name System was not equipped with any security measures. The economic potential of the Internet could not be fully exploited until some safety standards were guaranteed. Businesses refused to invest in online presence as long as their clients’ data and inside business information were exposed to potential thieves, con artists or even the competition. Throughout the years many protection mechanisms and protocols were introduced into the DNS network, from encryption to authentication methods.

DNSSEC
DNSSEC is a security feature that authenticates DNS data. If your local DNS server supports DNSSEC, domains with enabled security are protected from being redirected to a phishing website, such as a bank or online store, which extorts passwords and payment card details. Even though this method does not protect against all kinds of attacks on the domain structure, it blocks the “man-in-the-middle” type by applying an additional layer of the server’s response verification.

REGISTRAR LOCK
A type of security code that can be applied to a domain by its registrar which allows freezing of domain name’s data. It protects the domain owner against unwanted and unauthorized changes to the domain name. When used, it disallows any modification to the domain name which includes its transferring or deleting. It also makes it impossible to modify domain contact details.

REGISTRY LOCK
Authentication system provided by the registry that puts a lockdown on domain name’s information. Registry lock is dedicated to those users, who highly value the security of their domain names. It reduces the risk of domain hijacking, whether technical or administrative. The unlocking of a domain name is a highly secured manual process that can only be done after thorough authentication via email or telephone.

DNS over HTTPS (DoH)
DoH increases security by minimalizing the risk of spying on users’ online activity. By encrypting the messages sent between the server and a user’s computer, DoH makes it difficult for a „man-in-the-middle” to track your online activity and possibly redirect you to a website containing malware or spying and phishing software. It protects your communication with DNS by introducing a HTTPS protocol to send queries, as opposed to unencrypted and transparent information sent by DNS itself.

DNS over TLS (DoT)
Just like DNS over HTTPS, DoT is another method of encrypting the communication between your device and the replying server. It uses algorithms which transform a plain text into encoded message that is impossible to read by a third party. The data is scrambled in transit as the name Transport Layer Security (TLS) indicates and therefore cannot be manipulated by attackers. If TLS, more commonly referred to as SSL, is applied to your internet connection, it will appear in the browser address in the symbol of a padlock.

ANYCAST DNS
Contrary to unicast, anycast enables communication with many servers through the same IP address which makes the whole process much faster. Depending on its geolocation, the user’s query is resolved by the closest available server, improving and optimizing the performance. This security mechanism prevents distributed denial-of-service attacks (DDoS) which happen when a web server is overflown with requests to the targeted IP address, which causes system overload and subsequently disruption of service. Anycast DNS protects the user from DDoS attacks by spreading the traffic across multiple servers so that a single resolver is not overwhelmed with the number of queries.

EBRAND is there to advise you on the best way to secure your domain. Our experts will help you protect your brand online and make sure that your data remains private. Don’t take the risk and let us guide you through domain security services, from performing vulnerability tests to applying the best available protection mechanisms for your domain.

Lutz Berneke

Author Lutz Berneke

More posts by Lutz Berneke